Perfect, I'll have a look at it. Thanks

On Thu, Nov 17, 2022 at 9:09 PM Bradley Wagner <bradley.wag...@hannonhill.com> wrote:

> Yes. I believe the feature you are after is the SecureUberspector which can
> be used to restrict access to various packages and the ability to arbitrarily
> instantiate classes through reflection.
>
> https://velocity.apache.org/engine/2.3/apidocs/org/apache/velocity/util/introspection/SecureUberspector.html
>
> On Thu, Nov 17, 2022 at 7:25 PM Alex O'Ree <alexo...@apache.org> wrote:
>
> > From what I understand, velocity scripts basically allow someone to call
> > any valid java code or velocity tag. Is there any api or some plugin
> > infrastructure that exists and I could use to constrain which classes can
> > be called by velocity?
> >
> > For example, I want to prevent API calls to java.net.URL or perhaps
> > whitelist a set of classes or tags that a user can execute via velocity.
> > Is this a thing?
>
> --
> Bradley Wagner
> VP Product, Hannon Hill
> p. 678-904-6900 x115
> w. www.hannonhill.com
> e bradley.wag...@hannonhill.com
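
The setup suggested in the reply, as an added Java example that is not part of the original messages or the Velocity project's own code: it enables SecureUberspector and adds java.net to its restricted packages. SecureUberspector works from deny lists rather than an allow list. Assumptions: the class name `SecureUberspectorDemo`, the sample context values, and that the java.lang entries restated below match the defaults bundled with Velocity.

```java
import java.io.StringWriter;
import java.net.URI;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class SecureUberspectorDemo {
    // Deny lists. The java.lang entries restate what Velocity's bundled defaults
    // are assumed to contain; java.net is the addition asked about in the thread.
    static final String[] DENIED_PACKAGES = { "java.lang.reflect", "java.net" };
    static final String[] DENIED_CLASSES = {
        "java.lang.Class", "java.lang.ClassLoader", "java.lang.Compiler",
        "java.lang.InheritableThreadLocal", "java.lang.Package", "java.lang.Process",
        "java.lang.Runtime", "java.lang.RuntimePermission", "java.lang.SecurityManager",
        "java.lang.System", "java.lang.Thread", "java.lang.ThreadGroup", "java.lang.ThreadLocal"
    };

    static VelocityEngine restrictedEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        // One addProperty call per entry, so nothing depends on comma splitting.
        for (String p : DENIED_PACKAGES) {
            ve.addProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES, p);
        }
        for (String c : DENIED_CLASSES) {
            ve.addProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_CLASSES, c);
        }
        ve.init();
        return ve;
    }

    public static void main(String[] args) throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "report");                                       // constructed sample value
        ctx.put("url", URI.create("https://example.invalid/").toURL());  // constructed sample value

        String template =
              "allowed : $name.length()\n"
            + "java.net: $url.getHost()\n"
            + "reflect : $name.getClass().forName('java.lang.Runtime')\n";

        StringWriter out = new StringWriter();
        restrictedEngine().evaluate(ctx, out, "demo", template);
        // Denied calls resolve to nothing, so in the default non-strict mode the
        // reference text is written out unchanged; only the first line is evaluated.
        System.out.print(out);
    }
}
```

Running it requires velocity-engine-core on the classpath; the engine log records each refused method lookup, which is the place to check when a template reference unexpectedly renders as literal text.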